CN1308277A - Method and system for improving computer safety during ROM scanning - Google Patents

Method and system for improving computer safety during ROM scanning Download PDF

Info

Publication number
CN1308277A
CN1308277A CN00132810A CN00132810A CN1308277A CN 1308277 A CN1308277 A CN 1308277A CN 00132810 A CN00132810 A CN 00132810A CN 00132810 A CN00132810 A CN 00132810A CN 1308277 A CN1308277 A CN 1308277A
Authority
CN
China
Prior art keywords
test
input
user
self
rom
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN00132810A
Other languages
Chinese (zh)
Other versions
CN1121010C (en
Inventor
理查德·艾兰·达严
罗伯特·杜安尼·约翰森
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Lenovo Singapore Pte Ltd
Original Assignee
International Business Machines Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by International Business Machines Corp filed Critical International Business Machines Corp
Publication of CN1308277A publication Critical patent/CN1308277A/en
Application granted granted Critical
Publication of CN1121010C publication Critical patent/CN1121010C/en
Anticipated expiration legal-status Critical
Expired - Fee Related legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575Secure boot
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2211/00Indexing scheme relating to details of data-processing equipment not covered by groups G06F3/00 - G06F13/00
    • G06F2211/1097Boot, Start, Initialise, Power

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

A system and method of improving security during power-on-self-test (POST), particularly the ROM scan portion identifying ROM adapters, while selectively allowing user input. While a user input during ROM scan may be normally locked out to prevent the user from making changes to the configuration of the system, when the ROM scan during POST detects a ROM adapter which uses an input from the user, the system can override the lockout and allows for a user input. An optional control, such as a password or other personal identifier, can provide security.

Description

Be used to improve method and system at ROM scan period computer security
The present invention relates to its inventor is Robert Duane Johnson; Randall ScottSpringfield; U.S. Patent Application Serial Number No.09/052 Joseph Wayne Freeman and Ralph Bonomo, that apply on March 31st, 1998; 733, be entitled as " protection of personal computer ROM sweep start ", the assignee of this application is assignee of the present invention.This patent is known as ROM scanning patent here sometimes, and disclosing of this patent is used as reference thus here.
The present invention relates to improve the security of computing machine.More particularly, the present invention optionally allows a input from a user during ROM when scanning during by start-up course, and the system and method for an improvement of people's computing machine one by one is provided.
In this field, well-known is that personal computer is used to provide various data handling utilities.This personal computer generally includes the various input and output devices that are connected to a processor, and has preserved an operating system in the storer of this personal computer.This system comprises the program of a Power-On Self-Test (POST), when this computing machine is opened for the first time, this Power-On Self-Test program carry out work confirm to be connected to processor various input and output devices existence and confirm its condition of work.During POST, some specific memory device block of address space is scanned existing (as well-known in this field with one (perhaps a plurality of) sign indicating number that confirms to be called an adapter ROM, other memory technology, for example flash memory also can be used to substitute ROM), adapter ROM is used to connect specific peripheral apparatus, and sets up suitable starting condition for these peripheral apparatus.If found such adapter ROM in this memory address space, this adapter ROM carries out initialization routine and configuration routine then, this be so-called process of " ROM scanning ".In ROM scan period, the responsive memory area (preservation configuration information) in can access computer is to preserve the data as the ROM scanning result.Because these memory areas also relate to the problem of the secure context of personal computer, so control user input also is very important, to avoid inappropriate action, be designed in the interior security feature of PC operating system (and Power-On Self-Test program) with destruction.
ROM scanning patent is pointed out, during ROM scanning process and common POST, it is more desirable that the user who avoids people's computing machine one by one imports from a keyboard or other input equipment (for example mouse), and this can be by during the ROM scan operation or more generally pin keyboard during POST and other input equipment is realized.
But, during ROM scan period and initialization foundation, have some ROM adapters to encourage and need a user import, and the function that is provided in ROM scanning patent also will hinder such input.So, system in the existing field has the security that prevents the user and import (scan in patent provide as ROM) in ROM scan period, but forbid needed user's input type in some ROM adapter, perhaps allow the user to import in ROM scan period, but do not provide the safety issue that prevents improper user's input and produce, during the ROM scanning process, inappropriate user's input may destroy the safety issue in the configuration information.So the system in the existing field has worthless restriction and disadvantageous aspect.
By being provided at a system that can optionally allow the user to import during the ROM scanning process, the present invention has overcome the restriction and the disadvantageous aspect of the system in the existing field.Use this method, avoid the protection of the ROM scanning patent that the user imports normally effective, but carry out user's input or must carry out to allow to carry out such input in the situation of user's input in those hope.
Use this method, at ROM scan period, input equipment, for example keyboard is normally blocked, but imports and this user when also having the right to carry out such input when wishing to carry out such one, just can allow to import.Because be stored in some the ROM adapter code in the storer or between the starting period, need user's input, perhaps wish to allow this user's input, be desirable so when needs, can allow this user's input.The mandate that it is changed can be limited in those philtrums of being authorized to system configuration is changed, and this can realize by using suitable access rights password or supvr's password.
Advantage of the present invention is that it realizes simple, and during the Power-On Self-Test that comprises ROM scanning, can forbid effectively that usually the user imports, but when wishing, can allow to import and input is kept at the storer from the user.
During Power-On Self-Test, the present invention allows to lock and produces security function, but also allows to use the ROM adapter that needs user's input between the starting period.By reading following description about preferred implementation, and with reference to the accompanying drawings with the appended claim book, the technician in the association area will clearer other purpose of the present invention and advantage.
Some purpose of the present invention and advantage have been mentioned in the front, along with the description that the present invention is carried out, just can clearer other purpose of the present invention, and the present invention is the computer safety system and the method for an improvement, wherein:
Fig. 1 is a synoptic diagram of realizing the employed computing machine of people one by one among the present invention;
Fig. 2 is a block diagram of the personal computer of Fig. 1, and a logical diagram of personal computer memory is provided, and has shown the selected data division of being preserved in the storer of personal computer;
Fig. 3 is a logic flow about the part of the Power-On Self-Test processing of personal computer of the present invention;
Fig. 4 is an expression of an employed in the present invention ROM adapter form; In storehouse, passed to the expression of the parameter of a cryptographic check routine with Fig. 5.
In the following description of preferred implementation, realization known for inventor so far best implementation of the present invention will be described.But, the fundamental purpose of this description is to be used as wide, a general instruction of the present invention with a specific embodiment, rather than limit the present invention to as the embodiment as shown in this embodiment, particularly because those technician in this association area will recognize can be to shown and carry out many variations and change with reference to described ad hoc structure of these figure and operation, and still obtain the good like this result of the present invention.
Fig. 1 is a synoptic diagram of the computing machine of people one by one 10 useful in realizing the present invention.This personal computer 10 comprises a system unit 12, and this ps unit 12 is connected to a keyboard 14 and a mouse 16 and an output device, for example display 17 and printer 18.This keyboard 14 and mouse 16 are input equipments, and by this input equipment, the user can import, and display 17 and printer 18 are examples of an output device peripheral hardware, and by these output devices, the result of computing machine can be transmitted out.Other various input and output peripheral hardwares can use various traditional methods to be connected on the personal computer, for example card is inserted in the slot of system unit, is connected on the port and bus, for example a modulator-demodular unit, a universal serial bus, a parallel port or a USB port.Can use this method that various device is connected on this personal computer, and the many equipment in these equipment use the code that is called the ROM adapter code, the ROM adapter code is stored in the storer of system unit 12.Sometimes, various ROM adapter codes are known as the ROM adapter.One be called a process of ROM scanning during, carry out initialization set up dispose personal computer during, use the ROM adapter, this ROM scanning is by the technology in the existing field of contact, for example ROM scanning patent is described in more detail.
Fig. 2 is a synoptic diagram of the personal computer 10 of Fig. 1.In this Fig. 2, keyboard 14 and mouse 16 are connected to system unit 12 by an input interface 19.This system unit comprises to be preserved 22, one Power-On Self-Test programs 24 of an operating system and wherein preserves a storer 20 of the memory address space of ROM adapter 26.ROM adapter 26 is the code blocks that are stored in the memory address space, and relevant with the external device that can be connected to system unit 12, and allows to be based upon the starting condition in the personal computer 10 during Power-On Self-Test.In these ROM adapters some preserved with form completely, and these ROM adapters are loaded into data in the storer during Power-On Self-Test, but other ROM adapter can use the user at an input equipment, an input of for example carrying out on the keyboard 14.
Fig. 3 has shown the connection of the part of Power-On Self-Test related to the present invention.In module 27, the Power-On Self-Test process begins, and in module 28, mark is set forbids that the user imports during Power-On Self-Test, and forbid input equipment, as instructing in the ROM scanning patent.In module 30, swept memory is searched a ROM adapter.When a ROM adapter is arranged in storer, then test this ROM adapter and check whether a safety symbol 62 appears in the module 32.If there is not safety symbol 62 to exist, POST locks input equipment, activates ROM adapter initialization vector 56 then in module 29.In module 44, continue the ROM scanning process.If the ROM adapter has a safety symbol 62, just activate adapter ROM safety vector 64, input equipment is carried out release temporarily.Adapter ROM need to judge whether the user to import in module 34, and in module 35, adapter ROM need to judge whether a password or other mandate then.In module 36,, then in module 37, just test password or other and authorize and judge whether this user is authorized to if need a mandate for user input is provided; If this user is not authorized to, in module 43, POST locks input equipment, and adapter continues the execution initialization and do not carry out user's input.In step 44, continue the ROM scanning process.If this user successfully provides this mandate or password, if perhaps without any need for mandate, in module 38, forbid the mark that the user imports then with regard to removing, and the user is allowed to provide input, allows to set up the ROM adapter that needs user's input.In module 42, just provide the user to import.If in module 44, do not finish ROM scanning, then, control turns back to module 30, and the appearance of wherein searching another ROM adapter is searched the ROM adapter up to whole memory block being carried out scanning.In module 44, if finished ROM scanning, searched all storeies, then, POST continues its normal running in module 46.
As pointed in the ROM scanning patent, ROM adapter will have an indication or symbol and represent that it is a ROM adapter (value of pre-seting of the hexadecimal value AA55 in a ROM scanning adapter for example, as defined in the plug and play standard that in industry, is used), this indication or symbol are different with the data and the program of other form, and can be stored in the storer, so that it can be identified as a ROM adapter during POST.In addition,, can use any suitable method to finish locking, as by be closed in the connection between input equipment and the system unit through input interface 19 temporarily to input equipment as pointed in the ROM scanning patent.Alternatively, input equipment also can pass through other method, for example with irrelevant software or the hardware characteristics of input during Power-On Self-Test, is closed or locked.
Typically, one regulation subclass of the memory address space of personal computer 10 is carried out ROM scanning (searching the ROM adapter in module 30), typically, this memory address space is that 0C0000 is to 0DFFFF (sexadecimal), and with certain size of space, for example per 512 bytes scan, but whether in the centre, search the symbol of a ROM adapter head, for example sexadecimal AA55.As shown in Figure 4, shown a ROM head that in realizing the present invention, uses.In this showed, ROM 50 comprised 7 fields, a sign field 52,56, one reserved fields 58 of 54, one initialization vector of a length of stroke (run length) field, 60, one safety symbol fields 62 of a prolate-headed skew and a safety rule initialization vector 64.Latter two field is the expansion to the standard option ROM head of Plug and Play BIOS standard, and is convenient to realize the present invention.
As shown in Figure 5, when need considering the user to input a password to import in ROM scan period from the angle of safety, shown the form of the storehouse of the security initialization routine that will be delivered to adapter to be authorized to come.This preferably be used to with a system of the microprocessor of the X86 of an Intel compatibility, but also can be used for the microprocessor of other type by these those of skill in the art.Safety symbol field 62 is set to a selected value (sexadecimal 88DD), needs the cryptosecurity measure with indication in the past carrying out the ROM scanning process.Then, the address in field 64 is used to visit the security initialization routine among the ROM, and this security initialization routine will point out this user whether need to look at input.Before the routine in calling initialization vector 64, POST sets up storehouse as shown in Figure 5.Piece 70 is pointed out the skew that POST password prompt routine begins.Piece 72 comprises the sector address of POST password prompt routine code.Piece 74 is retained with return parameters, and piece 76 is used to return address IP, and piece 78 is used to the return address code segment.POST password prompt routine will according to circumstances be pointed out needs PAP or AP, and return to the initialization routine of adapter and whether correctly to have inputed password, and with its be stored in the storer, a value of expression proper password compares, and uses a traditional system to carry out cryptographic check.If correctly do not input password, to the ROM adapter initialization of remainder, keyboard and other input equipment will be closed.If correctly inputed password, then, this cryptographic check routine is just returned a designated symbol of successfully inputing password, and to the ROM adapter initialization of remainder, keyboard and pointing device (pointing device) interface 19 will be enabled.
Certainly, by of the description of reading front about preferred implementation, and connection with figures, these those of skill in the art will know and can much revise the present invention.For example, got in touch a password that is used for ID authentication or mandate and described an optional encryption device, and known, other person identifier, fingerprint for example, retina scanning, the geometry of symbol and hand can be authorized the people one by one who is authorized to import easily.The present invention that got in touch the function that to be performed and the test description that need be done, wherein many programs that will be stored in the computing machine are performed, and can design program according to the requirement of operating system and deviser's hobby, but its details is not a part of the present invention.Further, other code block of having got in touch the ROM adapter or having needed to import during Power-On Self-Test has been described the present invention, by using other input and At All Other Times, the present invention can determine easily when an input is normally blocked, and when optionally allows to import from a user.Can carry out a lot of other modifications to the present invention, and can not depart from spirit of the present invention.In addition, some aspect of the present invention can be favourable, and does not need correspondingly to use further feature.So the front will be regarded as merely the example of principle of the present invention about the description of preferred implementation, not have any restriction.

Claims (8)

1. computer system comprises:
A processor, tape storage and a stored programme that comprises the Power-On Self-Test program;
An input equipment that is connected to this processor;
A control relevant with the Power-On Self-Test program is used for forbidding during Power-On Self-Test carrying out an input from this input equipment, enters this storer to forbid that the user imports; With
A designated symbol that is stored in the storer, be used for during at least a portion Power-On Self-Test program, be used to allow user's input, and this processor responds to this designated symbol, and, come allowing on input equipment, to carry out user's input during the Power-On Self-Test at least by the above-mentioned control of during Power-On Self-Test, forbidding carrying out an input of interim covering from this input equipment.
2. a computer system as claimed in claim 1 further comprises a test about subscriber authorisation, the test of this subscriber authorisation whether allow the user to import during the result is used to be controlled at Power-On Self-Test.
3. a computer system as claimed in claim 2, wherein the test about subscriber authorisation is password of input, this password is compared with a licencing key that is kept in the storer.
4. a computer system as claimed in claim 2, wherein the test about subscriber authorisation is the indication of a biostatistics of people's identity sign one by one.
5. be used to operate a method of a computer system of tape storage, this computer system has an input equipment that is connected to this computing machine, and this method comprises step:
When opening this computing machine, Power-On Self-Test is carried out initialization;
During Power-On Self-Test, beginning just locks input equipment, to avoid influencing storer; With
Inspection is stored in the interior designated symbol of a ROM adapter in the storer, needs user's input with indication during Power-On Self-Test, and covers the locking to input equipment, and allows an input during at least a portion Power-On Self-Test.
6. computer method of operation as claimed in claim 5 further comprises step: before the locking that covers input equipment, need a subscriber authorisation.
7. computer method of operation as claimed in claim 6, the step that wherein obtains subscriber authorisation comprises step: the user provides a password, this password and the cipher list that is stored in the storer are compared, and and if only if this relatively is just to allow the user to carry out an input in ROM scan period under the successful situation, and allow this user to import to influence storer.
8. computer method of operation as claimed in claim 6, wherein the step that the user is authorized comprises step: the user provides the identify label of a biostatistics, the sign of this biostatistics is compared with a biostatistics identify label that is saved, to judge whether this user allows to be carried out input during Power-On Self-Test.
CN00132810A 1999-11-01 2000-10-31 Method and system for improving computer safety during ROM scanning Expired - Fee Related CN1121010C (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US09/431,728 1999-11-01
US09/431,728 US6487465B1 (en) 1999-11-01 1999-11-01 Method and system for improved computer security during ROM Scan

Publications (2)

Publication Number Publication Date
CN1308277A true CN1308277A (en) 2001-08-15
CN1121010C CN1121010C (en) 2003-09-10

Family

ID=23713169

Family Applications (1)

Application Number Title Priority Date Filing Date
CN00132810A Expired - Fee Related CN1121010C (en) 1999-11-01 2000-10-31 Method and system for improving computer safety during ROM scanning

Country Status (3)

Country Link
US (1) US6487465B1 (en)
CN (1) CN1121010C (en)
GB (1) GB2363490B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1979371B (en) * 2005-12-10 2010-11-10 鸿富锦精密工业(深圳)有限公司 Input device with locking function and locking method
CN101436135B (en) * 2007-11-15 2012-04-04 英业达股份有限公司 Initialized setting system and method of options read only memory
CN107403114A (en) * 2017-07-25 2017-11-28 郑州云海信息技术有限公司 A kind of structure and method for locking input

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005316856A (en) * 2004-04-30 2005-11-10 Toshiba Corp Information processor, starting method thereof, and starting program thereof
US20060070077A1 (en) * 2004-09-30 2006-03-30 Microsoft Corporation Providing custom product support for a software program
US8639946B2 (en) * 2005-06-24 2014-01-28 Sigmatel, Inc. System and method of using a protected non-volatile memory
US7818625B2 (en) * 2005-08-17 2010-10-19 Microsoft Corporation Techniques for performing memory diagnostics
US8549314B2 (en) 2010-04-29 2013-10-01 King Saud University Password generation methods and systems
US9367327B2 (en) * 2010-09-24 2016-06-14 Intel Corporation Method to ensure platform silicon configuration integrity

Family Cites Families (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
FR2573227B1 (en) 1984-11-09 1987-01-30 Palais Decouverte SIMULATION AND SECURITY DEVICE FOR DATA INPUT KEYBOARD
US5022077A (en) * 1989-08-25 1991-06-04 International Business Machines Corp. Apparatus and method for preventing unauthorized access to BIOS in a personal computer system
US5187792A (en) * 1990-05-09 1993-02-16 International Business Machines Corporation Method and apparatus for selectively reclaiming a portion of RAM in a personal computer system
JPH06214670A (en) * 1991-04-29 1994-08-05 Intel Corp Computer system and method for initializing it
US5388156A (en) * 1992-02-26 1995-02-07 International Business Machines Corp. Personal computer system with security features and method
US5634137A (en) * 1995-01-17 1997-05-27 International Business Machines Corporation Method and apparatus for updating system configuration based on open/closed state of computer housing cover
US5724027A (en) * 1995-09-28 1998-03-03 Intel Corporation Method and apparatus for providing system security to personal computer systems using transparent system interrupt
US5742758A (en) * 1996-07-29 1998-04-21 International Business Machines Corporation Password protecting ROM based utilities in an adapter ROM
US6098171A (en) * 1998-03-31 2000-08-01 International Business Machines Corporation Personal computer ROM scan startup protection

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1979371B (en) * 2005-12-10 2010-11-10 鸿富锦精密工业(深圳)有限公司 Input device with locking function and locking method
CN101436135B (en) * 2007-11-15 2012-04-04 英业达股份有限公司 Initialized setting system and method of options read only memory
CN107403114A (en) * 2017-07-25 2017-11-28 郑州云海信息技术有限公司 A kind of structure and method for locking input
CN107403114B (en) * 2017-07-25 2020-09-22 苏州浪潮智能科技有限公司 Input locking structure and method

Also Published As

Publication number Publication date
US6487465B1 (en) 2002-11-26
GB2363490A (en) 2001-12-19
CN1121010C (en) 2003-09-10
GB0026436D0 (en) 2000-12-13
GB2363490B (en) 2004-03-17

Similar Documents

Publication Publication Date Title
US5892902A (en) Intelligent token protected system with network authentication
US8380974B2 (en) Virtual appliance pre-boot authentication
US7917741B2 (en) Enhancing security of a system via access by an embedded controller to a secure storage device
US6006328A (en) Computer software authentication, protection, and security system
US5515440A (en) Preboot protection of unauthorized use of programs and data with a card reader interface
US7149854B2 (en) External locking mechanism for personal computer memory locations
US5012514A (en) Hard drive security system
US6223284B1 (en) Method and apparatus for remote ROM flashing and security management for a computer system
CN1182678C (en) Secure boot
EP1612639A1 (en) Method for detecting and reacting against possible attack to security enforcing operation performed by a cryptographic token or card
EP2262259A1 (en) Method for monitoring execution of data processing program instructions in a security module
WO1997004394A1 (en) Computer software authentication, protection, and security system
US20050138392A1 (en) Secure method and system for biometric verification
US20040199769A1 (en) Provision of commands to computing apparatus
CN1121010C (en) Method and system for improving computer safety during ROM scanning
MX2010014464A (en) Secure memory management system and method.
WO2016078429A1 (en) Identity recognition method and apparatus
WO2004031920A1 (en) A smartcard security system for protecting a computer system
WO2000075755A1 (en) Identification device for authenticating a user
JP2004503860A (en) Data processing method and apparatus for execution of protected instructions
JP2010103967A (en) Intelligent cipher key apparatus for enhancing pin code input security and its method
EP2400422A1 (en) Method, system and secure processor for executing a software application
US20150154393A1 (en) Electronic access-protection system, method of operating a computer system, chip card and firmware component
KR101249176B1 (en) Method and apparatus for setting security of a computer system
WO2000016179A1 (en) Method and device of disabling the unauthorised use of a computer

Legal Events

Date Code Title Description
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C06 Publication
PB01 Publication
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: LIAN XIANG(SINGAPORE)PRIVATE LTD.

Free format text: FORMER OWNER: INTERNATIONAL BUSINESS MACHINE CORP.

Effective date: 20061027

C41 Transfer of patent application or patent right or utility model
TR01 Transfer of patent right

Effective date of registration: 20061027

Address after: Singapore Changi

Patentee after: Lenovo (Singapore) Pte. Ltd.

Address before: New York, USA

Patentee before: International Business Machines Corp.

C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20030910

Termination date: 20101031